<!DOCTYPE html><html><head>
      <title>policy</title>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      
      <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.11.1/dist/katex.min.css">
      
      

      
      
      
      
      
      
      

    </head>
    <body for="html-export">
      <div class="mume markdown-preview  ">
<p>The <code>Content-Security-Policy</code> meta tag lets you reduce the risk of XSS attacks by defining where resources may be loaded from, which stops the browser from loading data from any other location. This makes it harder for an attacker to inject malicious code into your site.</p>
<p>I banged my head against a brick wall trying to work out why I was getting one CSP error after another; there seemed to be no concise, clear instructions on how it actually works. So here is my attempt at briefly explaining some points of CSP, concentrating on the problems I found hard to solve. For brevity I will not write out the full tag in every sample. Instead I will only show the <code>content</code> attribute, so a sample that says <code>content="default-src 'self'"</code> means this:</p>
<pre><code>&lt;meta http-equiv="Content-Security-Policy" content="default-src 'self'"&gt;</code></pre>
<ol>
<li><p>How do I allow multiple sources?</p>
<p>You can list the sources after a directive as a space-separated list:</p>
<pre><code>content="default-src 'self' https://example.com/js/"</code></pre>
<p>Note that there are no quotes around parameters except the special ones, such as <code>'self'</code>. Also, there is no colon (<code>:</code>) after the directive. It is just the directive, then a space-separated list of parameters.</p>
<p>Everything below the specified parameters is implicitly allowed. This means that in the example above these would be valid sources:</p>
<pre><code>https://example.com/js/file.js
https://example.com/js/subdir/anotherfile.js</code></pre>
<p>These, however, would not be valid:</p>
<pre><code>http://example.com/js/file.js
^^^^ wrong protocol

https://example.com/file.js
                    ^^ above the specified path</code></pre>
</li>
<li><p>How do I use different directives, and what does each one do?</p>
<p>The most common directives are:</p>
<ul>
<li><code>default-src</code>: the default policy for loading JavaScript, images, CSS, fonts, AJAX requests and so on</li>
<li><code>script-src</code>: defines valid sources for JavaScript files</li>
<li><code>style-src</code>: defines valid sources for CSS files</li>
<li><code>img-src</code>: defines valid sources for images</li>
<li><code>connect-src</code>: defines valid targets for XMLHttpRequest (AJAX), WebSockets or EventSource. If a connection is attempted to a host that is not allowed here, the browser will emulate a 400 error.</li>
</ul>
<p>There are others, but these are the ones you are most likely to need.</p>
</li>
<li><p>How do I use multiple directives?</p>
<p>You define all the directives inside one meta tag by terminating each one with a semicolon (<code>;</code>):</p>
<pre><code>content="default-src 'self' https://example.com/js/; style-src 'self'"</code></pre>
</li>
<li><p>How do I handle ports?</p>
<p>Everything other than the default port has to be allowed explicitly, by adding the port number or an asterisk after the allowed domain:</p>
<pre><code>content="default-src 'self' https://ajax.googleapis.com http://example.com:123/free/stuff/"</code></pre>
<p>The above results in:</p>
<pre><code>https://ajax.googleapis.com:123
                           ^^^^ Not ok, wrong port

https://ajax.googleapis.com - OK

http://example.com/free/stuff/file.js
                 ^^ Not ok, only the port 123 is allowed

http://example.com:123/free/stuff/file.js - OK</code></pre>
<p>As mentioned, you can also use an asterisk to explicitly allow all ports:</p>
<pre><code>content="default-src example.com:*"</code></pre>
</li>
<li><p>How do I handle different protocols?</p>
<p>By default, only standard protocols are allowed. For example, to allow WebSockets (<code>ws://</code>) you have to allow it explicitly:</p>
<pre><code>content="default-src 'self'; connect-src ws:; style-src 'self'"
                                         ^^^ web sockets are now allowed on all domains and ports</code></pre>
</li>
<li><p>How do I allow the file protocol (<code>file://</code>)?</p>
<p>If you try to define it as such, it will not work. Instead, you allow it with the <code>filesystem</code> parameter:</p>
<pre><code>content="default-src filesystem"</code></pre>
</li>
<li><p>How do I use inline scripts and style definitions?</p>
<p>Unless explicitly allowed, you cannot use inline style definitions, code inside <code>&lt;script&gt;</code> tags, or tag attributes such as <code>onclick</code>. You allow them like this:</p>
<pre><code>content="script-src 'unsafe-inline'; style-src 'unsafe-inline'"</code></pre>
<p>You also have to explicitly allow inline, base64-encoded images:</p>
<pre><code>content="img-src data:"</code></pre>
</li>
<li><p>How do I allow <code>eval()</code>?</p>
<p>I am sure many people would say that you don't, because "eval is evil" and the most likely cause of the impending end of the world. Those people would be wrong. Sure, you can punch major holes into your site's security with eval, but it has perfectly valid use cases. You just have to be smart about using it. You allow it like this:</p>
<pre><code>content="script-src 'unsafe-eval'"</code></pre>
</li>
<li><p>What exactly does <code>'self'</code> mean?</p>
<p>You might take <code>'self'</code> to mean localhost, the local file system, or anything on the same host. It means none of those. It means sources with the same scheme (protocol), the same host and the same port as the file the content policy is defined in. Serving your site over HTTP? Then no https for you, unless you define it explicitly.</p>
<p>I have used <code>'self'</code> in most of the examples because it usually makes sense to include it, but it is by no means mandatory. Leave it out if you don't need it.</p>
<p>But hang on a minute! Can't I just use <code>content="default-src *"</code> and be done with it?</p>
<p>No. Apart from the obvious security hole, this also does not work the way you would expect. Even though some documentation claims it allows anything, that is not true. It does not allow inlining or eval, so to really, really make your site more vulnerable you would use this:</p>
<pre><code>content="default-src * 'unsafe-inline' 'unsafe-eval'"</code></pre>
<p>...but I trust you won't.</p>
</li>
</ol>
<p>Further reading:<br>
<a href="http://content-security-policy.com">http://content-security-policy.com</a><br>
<a href="http://en.wikipedia.org/wiki/Content_Security_Policy">http://en.wikipedia.org/wiki/Content_Security_Policy</a></p>
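<p>The matching rules from points 1 to 6 and 9 above, worked through in code. This is an added example, not code from the original answer: a small Python model of the source-list rules the text states (scheme, host, port, path prefix, <code>'self'</code>, scheme sources such as <code>ws:</code>, fallback to <code>default-src</code>), plus a review helper that lists which broad grants a policy's effective script sources contain. It assumes that a source written without a scheme takes the document's scheme, and it does not handle <code>*.example.com</code> wildcard hosts.</p>

```python
"""Toy matcher for the CSP source-list rules described above (added example, not code
from the original answer): scheme, host, port, path prefix, 'self', scheme sources
such as ws:, and fallback to default-src. Wildcard hosts (*.example.com) are not handled."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def parse_policy(content):
    """Split the meta tag's content attribute into {directive: [source, ...]}:
    directives are ';'-separated, each a name followed by space-separated sources."""
    policy = {}
    for part in content.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _effective_port(parts):
    return parts.port or DEFAULT_PORTS.get(parts.scheme)  # explicit port, else the default

def _host_source_matches(source, u, document_scheme):
    """Host source such as https://example.com:123/free/stuff/ or example.com:* ."""
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:  # assumption: a source given without a scheme takes the document's scheme
        scheme, rest = document_scheme, source
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if u.scheme != scheme or (u.hostname or "") != host.lower():
        return False  # wrong protocol or different host
    if port == "*":
        pass  # every port explicitly allowed
    elif port:
        if _effective_port(u) != int(port):
            return False  # only the listed port is allowed
    elif _effective_port(u) != DEFAULT_PORTS.get(scheme):
        return False  # no port listed: only the scheme's default port
    return not slash or u.path.startswith("/" + path)  # anything below the given path

def source_matches(source, url, document_url):
    """Does one source expression permit loading url from a page at document_url?"""
    u, d = urlsplit(url), urlsplit(document_url)
    if source == "'self'":  # same scheme, host AND port as the document, nothing more
        return (u.scheme, u.hostname, _effective_port(u)) == (d.scheme, d.hostname, _effective_port(d))
    if source == "*":
        return u.scheme in DEFAULT_PORTS  # any host and port, but not data:, inline or eval
    if source.startswith("'"):
        return False  # keywords such as 'unsafe-inline' never match a URL
    if source.endswith(":") and "/" not in source:
        return u.scheme == source[:-1]  # scheme source: ws: allows every ws:// target
    return _host_source_matches(source, u, d.scheme)

def is_allowed(content, directive, url, document_url):
    """Check url against directive, falling back to default-src when it is not set."""
    policy = parse_policy(content)
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url, document_url) for s in sources)

def unsafe_script_features(content):
    """Review helper: list the broad grants (*, 'unsafe-inline', 'unsafe-eval') in the
    effective script source list. A bare * still permits neither inline code nor eval()."""
    policy = parse_policy(content)
    sources = policy.get("script-src", policy.get("default-src", []))
    return sorted(s for s in sources if s in ("*", "'unsafe-inline'", "'unsafe-eval'"))
```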
      </div>
      
      
    
    
    
    
    
    
    
    
  
    </body></html>